CLAIMS

1. A method for establishing a connection between a node of an outside address
realm and a node of an inside address realm through an intermediate communication
gateway having a number of outside-realm gateway addresses for enabling outside- 
realm representation of inside-realm nodes, said method comprising the steps of: 

preparing, at said outside node, a user-resource identifier query that includes an 
inside node identifier as well as predetermined connection information including at least 
one of outside node address information and inside node port information; 

determining inside-realm network address information based on said inside node 
identifier included in said identifier query; 

identifying, based on said predetermined connection information included in said 
identifier query, an outside-realm gateway address to be used in establishing a dynamic 
gateway connection state for a flow between said outside node and said inside node 
through said gateway; and 

establishing said dynamic gateway connection state based on said identified 
outside-realm gateway address, said predetermined connection information included in 
said identifier query and said inside-realm network address information, thereby enabling 
an outside-realm initiated connection. 



2. The method according to claim 1, wherein said step of establishing said dynamic 
gateway connection state comprises the steps of: 

creating a partially complete gateway connection state based on said identified
outside-realm gateway address, said predetermined connection information included in 
said identifier query and said inside-realm network address information; and 

upon receipt of a packet from said outside node to said gateway, transforming said
partially complete gateway state into a complete gateway connection state based on
complementary connection information associated with said packet.

3. The method according to claim 1, wherein said step of identifying an outside-
realm gateway address comprises the step of identifying an outside-realm gateway 
address, which in combination with said predetermined information included in said
identifier-query defines a partially complete outside-realm gateway state representation 
that has no counterpart in any existing partially complete gateway connection state. 

4. The method according to claim 3, further comprising the step of maintaining a
separate list representation of existing partially complete gateway connection states, and 
wherein said partially complete outside-realm representation is identified based on 
comparison with corresponding information of all existing partially complete gateway 
connection states represented in said list representation. 

5. The method according to claim 4, wherein said step of identifying an outside- 
realm gateway address comprises the step of traversing outside-realm gateway addresses 
associated with said gateway until finding an outside-realm gateway address, which in 
combination with said predetermined connection information included in said identifier
query has no counterpart in any existing partially complete gateway connection state
represented in said list representation.

6. The method according to claim 4, wherein said step of identifying an outside- 
realm gateway address comprises the step of verifying that a pre-allocated outside-realm
gateway address in combination with said predetermined connection information
included in said identifier query has no counterpart in any existing partially complete 
gateway connection state represented in said list representation. 

7. The method according to claim 2, wherein said predetermined connection
information included in said identifier query is an outside network address of said 
outside node, and said complementary connection information for completing the 
gateway connection state includes a port number of said inside node and a port number 
of said outside node.

8. The method according to claim 2, wherein said predetermined connection
information included in said identifier query is an inside node port number, and said 
complementary connection information for completing the gateway connection state 
includes an outside network address of said outside node and a port number of said 
outside node. 

9. The method according to claim 1, further comprising the step of notifying said 
outside node of said identified outside-realm gateway address. 

10. The method according to claim 1, wherein said user-resource identifier query is a 
Domain Name Server (DNS) query. 

11. The method according to claim 1, wherein said inside address realm is a private 
address realm and said outside address realm is a public address realm. 

12. A system for establishing a connection between a node of an outside address
realm and a node of an inside address realm through an intermediate communication 
gateway having a number of outside-realm gateway addresses for enabling outside- 
realm representation of inside-realm nodes, said system comprising: 

means, responsive to a user-resource identifier query from said outside node, for
determining inside-realm network address information based on an inside node identifier 
included in said identifier query, wherein said identifier query further includes 
predetermined connection information including at least one of outside node address
information and inside node port information; 

means for identifying, based on said predetermined connection information 
included in said identifier query, an outside-realm gateway address to be used in 
establishing a dynamic gateway connection state for a flow between said outside node 
and said inside node through said gateway; 

means for establishing said dynamic gateway connection state based on said 
identified outside-realm gateway address, said predetermined connection information
included in said identifier query and said inside-realm network address information,
thereby enabling an outside-realm initiated connection. 

13. The system according to claim 12, wherein said means for establishing said 
dynamic gateway connection state comprises: 

means for creating a partially complete gateway connection state based on said 
identified outside-realm gateway address, said predetermined connection information
included in said identifier query and said inside-realm network address information; 

means for transforming, upon receipt of a packet from said outside node to said
gateway, said partially complete gateway state into a complete gateway connection state 
based on complementary connection information associated with said packet. 

14. The system according to claim 12, wherein said means for identifying an outside- 
realm gateway address is operable for identifying an outside-realm gateway address, 
which in combination with said predetermined connection information included in said 
identifier-query defines a partially complete outside-realm gateway state representation 
that has no counterpart in any existing partially complete gateway connection state. 

15. The system according to claim 14, further comprising means for maintaining a
separate list representation of existing partially complete gateway connection states, and 
wherein said partially complete outside-realm representation is identified based on
comparison with corresponding information of all existing partially complete gateway 
connection states represented in said list representation. 

16. The system according to claim 15, wherein said means for identifying an outside- 
realm gateway address comprises means for traversing outside-realm gateway addresses 
associated with said gateway until finding an outside-realm gateway address, which in 
combination with said predetermined connection information included in said identifier 
query has no counterpart in any existing partially complete gateway connection state
represented in said list representation.

17. The system according to claim 15, wherein said means for identifying an outside-
realm gateway address comprises means for verifying that a pre-allocated outside-realm 
gateway address in combination with said predetermined connection information 
included in said identifier query has no counterpart in any existing partially complete
gateway connection state represented in said list representation. 

18. The system according to claim 13, wherein said predetermined connection 
information included in said identifier query is an outside network address of said 
outside node, and said complementary connection information for completing the 
gateway connection state includes a port number of said inside node and a port number 
of said outside node. 

19. The system according to claim 13, wherein said predetermined connection 
information included in said identifier query is an inside node port number, and said 
complementary connection information for completing the gateway connection state
includes an outside network address of said outside node and a port number of said 
outside node. 

20. The system according to claim 12, further comprising means for notifying said 
outside node of said identified outside-realm gateway address. 

21. The system according to claim 12, wherein said means for identifying an outside- 
realm gateway address, among the outside-realm gateway addresses associated with said 
gateway, includes a gateway resource manager. 

22. The system according to claim 12, wherein said user-resource identifier query is a 
Domain Name Server (DNS) query. 

23. The system according to claim 12, wherein said inside address realm is a private 
address realm and said outside address realm is a public address realm.

24. A method for establishing a connection between a node of an outside address
realm and a node of an inside address realm through an intermediate communication 
gateway, said method comprising the step of dynamically establishing, triggered by a 
user-resource identifier query initiated from said outside node, a gateway connection 
state for a flow between said outside node and said inside node through said gateway. 

25. The method according to claim 24, wherein said gateway connection state is 
dynamically established based on at least one of an outside network address of said 
outside node and a port number of said inside node included in said identifier query. 

26. A gateway resource manager for a communication gateway that has a number of 
outside-realm gateway addresses for enabling outside-realm representation of inside- 
realm nodes, said gateway resource manager comprising: 

means for receiving inside-realm network address information 
corresponding to an inside node and predetermined connection information including 
at least one of address information of an outside node and inside node port information;

means for identifying, based on said predetermined connection 
information, an outside-realm gateway address to be used in establishing a dynamic 
gateway connection state for a flow between said outside node and said inside node 
through said gateway; and 

means for requesting said gateway to establish said dynamic gateway 
connection state based on said identified outside-realm gateway address, said 
predetermined connection information and said inside-realm network address 
information. 

27. The gateway resource manager according to claim 26, wherein said predetermined 
connection information is an outside node address, and said requesting means is operable 
for requesting allocation of said identified outside-realm gateway address to said inside 
node for traffic coming from said outside node address.

28. The gateway resource manager according to claim 26, wherein said requesting
means is operable for sending a request to said gateway for establishment of a partially 
complete gateway connection state based on said identified outside-realm gateway 
address, said predetermined connection information and said inside-realm network
address. 

29. The gateway resource manager according to claim 28, further comprising: 

means for receiving a reply from said gateway that said partially complete 
gateway connection state has been created; and 

means for notifying said outside node of said identified outside-realm 
gateway address in response to said reply from said gateway. 

30. The gateway resource manager according to claim 28, wherein said means for 
identifying an outside-realm gateway address is operable for identifying an outside-realm 
gateway address, which in combination with said predetermined information defines a 
partially complete outside-realm gateway state representation that has no counterpart in 
any existing partially complete gateway connection state.

31. The gateway resource manager according to claim 30, further comprising means for
maintaining a list representation of existing partially complete gateway connection states, 
and wherein said partially complete outside-realm representation is identified based on
comparison with corresponding information of all existing partially complete gateway 
connection states represented in said list representation. 

32. A method for establishing a connection between a node of an inside address 
realm and a node of an outside address realm through an intermediate communication
gateway having a number of outside-realm gateway addresses for enabling outside- 
realm representation of inside-realm nodes, said method comprising the steps of: 

identifying, whenever possible, based on predetermined connection information, 
further connection information that in combination with said predetermined connection
information defines an outside-realm gateway state representation that has no counterpart
in a predetermined set of existing gateway connection states, said predetermined 
connection information including at least one of network address information and port 
information and said further connection information including an outside-realm gateway
address; and 

initiating establishment of said connection based on said outside-realm gateway 
state representation. 

33. The method according to claim 32, further comprising the step of maintaining a 
separate list representation of said predetermined set of existing gateway connection 
states, and wherein said outside-realm gateway state representation is identified based on 
comparison with corresponding information of said gateway connection states 
represented in said list representation. 

34. The method according to claim 32, wherein said predetermined connection 
information includes at least one of outside node address information and outside node 
port information, said outside-realm gateway state representation is an at least partially 
complete gateway state representation, and said predetermined set of gateway connection 
states includes the existing gateway connection states in said gateway. 

35. The method according to claim 34, wherein said further connection information
also includes associated gateway port information, said outside-realm representation is a
complete outside-realm representation, and said step of initiating establishment of said 
connection comprises the step of requesting that said gateway creates a gateway 
connection state based on said complete outside-realm representation. 

36. The method according to claim 34, wherein said outside-realm representation is a 
partially complete outside-realm representation, and said step of initiating establishment 
of said connection comprises the step of requesting that said gateway creates a partially
complete gateway connection state based on said partially complete outside-realm
representation. 

37. The method according to claim 36, further comprising the step of selecting, if said 
identification is not possible, an outside-realm gateway address among the least utilized 
outside-realm gateway addresses to define said partially complete outside-realm 
representation to be used for initiating establishment of said connection.

38. The method according to claim 37, further comprising the step of verifying, upon 
receipt of a packet from said inside node to said gateway, that said partially complete 
outside-realm representation in further combination with inside node port information 
associated with said packet, defines a complete outside-realm gateway state 
representation that has no counterpart in any existing gateway connection state. 

39. The method according to claim 38, further comprising the step of transforming a 
partially complete gateway connection state created in said gateway based on said 
partially complete outside-realm representation into a complete gateway connection state 
based on said complete outside-realm representation, thereby completely establishing 
said connection. 

40. The method according to claim 32, wherein said predetermined connection 
information includes at least one of outside node address information and inside node 
port information, said outside-realm gateway state representation is a partially complete 
gateway state representation and said predetermined set of gateway connection states 
includes the existing partially complete gateway connection states in said gateway. 

41. The method according to claim 40, wherein said step of identifying further 
connection information including an outside-realm gateway address comprises the step 
of traversing outside-realm gateway addresses of the gateway until finding an outside- 
realm gateway address, which in combination with said predetermined connection
information has no counterpart in any existing partially complete gateway connection
state. 

42. The method according to claim 40, wherein said step of identifying further 
connection information including an outside-realm gateway address comprises the step 
of verifying that a pre-allocated outside-realm gateway address in combination with said 
predetermined connection information has no counterpart in any existing partially
complete gateway connection state. 

43. The method according to claim 40, wherein said step of initiating establishment of 
said connection comprises the step of requesting that said gateway establishes a partially 
complete gateway connection state based on said partially complete outside-realm 
representation. 

44. The method according to claim 43, further comprising the step of transforming,
upon receipt of a packet from said outside node to said gateway, said partially complete 
gateway connection state that has been created in said gateway into a complete gateway 
connection state based on complementary connection information associated with said 
packet. 

45. The method according to claim 44, wherein said predetermined connection 
information is predetermined outside node address information, and said 
complementary connection information includes inside node port information and 
outside node port information. 

46. The method according to claim 44, wherein said predetermined connection 
information is predetermined inside node port information, and said complementary
connection information includes outside node address information and outside node
port information.

47. The method according to claim 40, further comprising the steps of:

selecting, if said identification is not possible based on predetermined inside 
node port information, another gateway port; and 

identifying further connection information including an outside-realm gateway 
address based on said selected gateway port to define a unique, partially complete 
outside-realm representation of a gateway connection state. 

48. The method according to claim 40, wherein said predetermined connection
information originates from a user-resource identifier query initiated from said outside 
node. 

49. A system for establishing a connection between a node of an inside address realm 
and a node of an outside address realm through a communication gateway having a 
number of outside-realm gateway addresses for enabling outside-realm representation 
of inside-realm nodes, said system comprising: 

means for identifying, whenever possible, based on predetermined connection 
information, further connection information that in combination with said predetermined
connection information defines an outside-realm gateway state representation that has no 
counterpart in a predetermined set of existing gateway connection states, said
predetermined connection information including at least one of network address
information and port information and said further connection information including an
outside-realm gateway address; and 

means for initiating establishment of said connection based on said outside-realm
gateway state representation. 

50. The system according to claim 49, further comprising means for maintaining a 
separate list representation of said predetermined set of existing gateway connection 
states, and wherein said outside-realm gateway state representation is identified based on
comparison with corresponding information of said gateway connection states 
represented in said list representation.

51. The system according to claim 49, wherein said predetermined connection
information includes at least one of outside node address information and outside node 
port information, said outside-realm gateway state representation is an at least partially
complete gateway state representation, and said predetermined set of gateway connection 
states includes the existing gateway connection states in said gateway. 

52. The system according to claim 51, wherein said further connection information also 
includes associated gateway port information, said outside-realm representation is a 
complete outside-realm representation, and said means for initiating establishment of said
connection comprises means for requesting that said gateway creates a gateway 
connection state based on said complete outside-realm representation. 

53. The system according to claim 51, wherein said outside-realm representation is a 
partially complete outside-realm representation, and said means for initiating 
establishment of said connection comprises means for requesting that said gateway
creates a partially complete gateway connection state based on said partially complete 
outside-realm representation. 

54. The system according to claim 53, further comprising means for selecting, if said 
identification is not possible, an outside-realm gateway address among the least utilized 
outside-realm gateway addresses to define said partially complete outside-realm 
representation to be used for initiating establishment of said connection. 

55. The system according to claim 54, further comprising means for verifying, upon 
receipt of a packet from said inside node to said gateway, that said partially complete 
outside-realm representation in further combination with inside node port information 
associated with said packet, defines a complete outside-realm gateway state 
representation that has no counterpart in any existing gateway connection state.

56. The system according to claim 55, further comprising means for transforming a
partially complete gateway connection state created in said gateway based on said 
partially complete outside-realm representation into a complete gateway connection state 
based on said complete outside-realm representation, thereby completely establishing 
said connection. 

57. The system according to claim 49, wherein said predetermined connection 
information includes at least one of outside node address information and inside node
port information, said outside-realm gateway state representation is a partially complete
gateway state representation and said predetermined set of gateway connection states 
includes the existing partially complete gateway connection states in said gateway. 

58. The system according to claim 57, wherein said means for identifying further 
connection information including an outside-realm gateway address comprises means 
for traversing outside-realm gateway addresses of the gateway until finding an outside-
realm gateway address, which in combination with said predetermined connection 
information has no counterpart in any existing partially complete gateway connection 
state. 

59. The system according to claim 57, wherein said means for identifying further
connection information including an outside-realm gateway address comprises means 
for verifying that a pre-allocated outside-realm gateway address in combination with said 
predetermined connection information has no counterpart in any existing partially 
complete gateway connection state. 

60. The system according to claim 57, wherein said means for initiating establishment 
of said connection comprises means for requesting that said gateway establishes a 
partially complete gateway connection state based on said partially complete outside- 
realm representation.

61. The system according to claim 60, further comprising means for transforming, upon
receipt of a packet from said outside node to said gateway, said partially complete
gateway connection state that has been created in said gateway into a complete gateway 
connection state based on complementary connection information associated with said 
packet. 

62. The system according to claim 61, wherein said predetermined connection 
information is predetermined outside node address information, and said 
complementary connection information includes inside node port information and
outside node port information. 

63. The system according to claim 61, wherein said predetermined connection
information is predetermined inside node port information, and said complementary 
connection information includes outside node address information and outside node 
port information.

64. The system according to claim 57, further comprising means for selecting, if said 
identification is not possible based on predetermined inside node port information,
another gateway port, and wherein said identifying means is operable for identifying 
further connection information including an outside-realm gateway address based on said 
selected gateway port to define a unique, partially complete outside-realm representation 
of a gateway connection state.

65. The method according to claim 57, wherein said predetermined connection 
information originates from a user-resource identifier query initiated from said outside 
node. 
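
Added illustration, not part of the claims as filed: a minimal Python model of the flow recited in claims 1 to 5, 7 and 9, in which a name query creates a partially complete gateway state keyed on the outside node address and the first packet from that address completes it. Class and method names, the name table and the documentation-range addresses are hypothetical, and the inside port is assumed equal to the packet's destination port.

```python
class Gateway:
    """Holds partially complete and complete connection states (hypothetical model)."""

    def __init__(self, gw_addrs):
        self.gw_addrs = list(gw_addrs)      # outside-realm gateway addresses
        self.partial = {}                   # (gw addr, outside addr) -> inside addr
        self.complete = {}                  # (gw addr, gw port, outside addr, outside port)
                                            #   -> (inside addr, inside port)
        self.on_complete = lambda key: None # hook used to keep the manager's list in sync

    def create_partial(self, gw_addr, outside_addr, inside_addr):
        self.partial[(gw_addr, outside_addr)] = inside_addr

    def on_outside_packet(self, src, sport, dst, dport):
        """Return (inside addr, inside port) to forward to, or None to drop."""
        flow = (dst, dport, src, sport)
        if flow in self.complete:           # established flow
            return self.complete[flow]
        key = (dst, src)
        inside_addr = self.partial.pop(key, None)
        if inside_addr is None:
            return None                     # no state was prepared for this source
        # Complementary information (both port numbers) comes from the packet (claim 7).
        self.complete[flow] = (inside_addr, dport)
        self.on_complete(key)
        return self.complete[flow]


class ResourceManager:
    """Answers identifier queries and picks the gateway address (hypothetical model)."""

    def __init__(self, gateway, names):
        self.gateway = gateway
        self.names = dict(names)            # inside node identifier -> inside address
        self.pending = set()                # separate list of partial states (claim 4)
        gateway.on_complete = self.pending.discard

    def handle_query(self, identifier, outside_addr):
        """Return the gateway address to hand back to the outside node, or None."""
        inside_addr = self.names.get(identifier)
        if inside_addr is None:
            return None
        for gw_addr in self.gateway.gw_addrs:       # traversal (claim 5)
            key = (gw_addr, outside_addr)
            if key not in self.pending:             # no counterpart (claim 3)
                self.pending.add(key)
                self.gateway.create_partial(gw_addr, outside_addr, inside_addr)
                return gw_addr                      # notification (claim 9)
        return None                                 # every address already pending


def demo():
    # Constructed sample data: two gateway addresses, two inside nodes.
    gw = Gateway(["192.0.2.1", "192.0.2.2"])
    rm = ResourceManager(gw, {"a.example": "10.0.0.5", "b.example": "10.0.0.6"})
    out = {}
    out["q1"] = rm.handle_query("a.example", "198.51.100.7")
    out["q2"] = rm.handle_query("b.example", "198.51.100.7")  # same source: next address
    out["q3"] = rm.handle_query("a.example", "198.51.100.7")  # pool exhausted for source
    out["q4"] = rm.handle_query("b.example", "198.51.100.9")  # other source reuses first
    out["p1"] = gw.on_outside_packet("198.51.100.7", 40000, "192.0.2.2", 80)
    out["p2"] = gw.on_outside_packet("203.0.113.3", 40000, "192.0.2.1", 80)  # unknown source
    out["q5"] = rm.handle_query("a.example", "198.51.100.7")  # address freed by p1
    out["p3"] = gw.on_outside_packet("198.51.100.7", 40000, "192.0.2.2", 80)  # same flow
    out["pending"] = sorted(rm.pending)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
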



